b"              \xc2\xa0\n\n              \xc2\xa0\n\n              \xc2\xa0      U.S.\xc2\xa0ENVIRONMENTAL\xc2\xa0PROTECTION\xc2\xa0AGENCY\xc2\xa0\n\n              \xc2\xa0      OFFICE\xc2\xa0OF\xc2\xa0INSPECTOR\xc2\xa0GENERAL\xc2\xa0\n\n\n\n\n                     Controls Over EPA\xe2\x80\x99s\n                     Compass Financial System\n                     Need to Be Improved\n                     Report No. 13-P-0359                    August 23, 2013\n\n\n\n\nScan this mobile\ncode to learn more\nabout the EPA OIG.\n\x0cReport Contributors:\t                              Rudolph M. Brevard\n                                                   Michael Goode\n                                                   Sabrena Stewart\n                                                   Eric Jackson\n                                                   Gina Ross\n                                                   Teresa Richardson\n\n\n\n\nAbbreviations\n\nAICPA         American Institute of Certified Public Accountants\nCFO           Chief Financial Officer\nEPA           U.S. Environmental Protection Agency\nNIST          National Institute of Standards and Technology\nOCFO          Office of the Chief Financial Officer\nOIG           Office of Inspector General\nOMB           Office of Management and Budget\nQASP          Quality Assurance Surveillance Plan\n\n\n\n\n  Hotline\n  To report fraud, waste, or abuse, contact us through one of the following methods:\n\n  email:     OIG_Hotline@epa.gov                      write:    EPA Inspector General Hotline\n  phone:     1-888-546-8740                                     1200 Pennsylvania Avenue, NW\n  fax:       202-566-2599                                       Mailcode 2431T\n  online:    http://www.epa.gov/oig/hotline.htm                 Washington, DC 20460\n\x0c                        U.S. 
Environmental Protection Agency \t                                                13-P-0359\n                                                                                                         August 23, 2013\n                        Office of Inspector General\n\n\n                        At a Glance\n\nWhy We Did This Review              Controls Over EPA\xe2\x80\x99s Compass Financial\nWe conducted this audit to          System Need to Be Improved\ndetermine what steps the\nU.S. Environmental Protection        What We Found\nAgency took to ensure that\ninternal controls over the          Processes were not in place to monitor performance of the EPA Office of the\nfinancial reporting by Compass      Chief Financial Officer\xe2\x80\x99s third party service provider of Compass. Also, OCFO\nFinancials have been designed       security personnel were not aware of Compass security roles and\nappropriately and are operating     responsibilities. This lack of oversight:\neffectively. We also sought to\ndetermine the extent of the            \xef\x82\xb7   Inhibits the EPA\xe2\x80\x99s ability to achieve agreed-upon performance levels and\nEPA\xe2\x80\x99s reliance on its service              correctly pay for services rendered.\norganization to make assertions        \xef\x82\xb7   Decreases the likelihood that an effective security posture will be\nabout the effectiveness of its             maintained.\ninternal controls over financial\nreporting. 
Additionally, we         Further, disaster recovery exercise plans did not include testing of data\nreviewed the EPA\xe2\x80\x99s oversight        replication processes critical to financial reporting, resulting in the EPA having\nstrategy for key Compass            no assurance that Compass will operate as designed during a disaster.\nprocesses.\n                                    Recommendations and Planned Agency Corrective Actions\nIn October 2011, the EPA\nreplaced its legacy financial       We recommended that the Chief Financial Officer develop a process to monitor\nmanagement system. The new          and evaluate, on a monthly basis, the service provider\xe2\x80\x99s performance and adjust\nsystem, Compass, was                service level requirements accordingly. Further, we recommended that the CFO\ndeveloped and is currently          communicate key roles and responsibilities to designated security personnel,\nhosted by a third party service     and test Compass data replication during a functional disaster recovery\nprovider. During fiscal year        exercise.\n2012, the EPA used Compass to\nproduce its financial statements    OCFO did not agree with our recommendations in the draft report. We met with\nthat were submitted to the Office   and reviewed documentation provided by OCFO related to recommendations 1\nof Management and Budget and        through 3. Our review determined that OCFO made progress in addressing our\nCongress.                           findings related to management oversight of service provider performance and\n                                    the OIG has agreed to amend recommendations 1 through 3 to reflect this\nThis report addresses the           progress. The OIG also considers corrective actions taken by OCFO prior to the\nfollowing EPA Goal or               issuance of the draft report in response to recommendation 4 to be sufficient to\nCross-Cutting Strategy:             close this recommendation. 
We also amended recommendation 5 to reflect\n                                    agreed-upon alternative corrective actions that OCFO should take to address\n\xef\x82\xb7   Strengthening EPA's             our findings related to Compass disaster recovery. OCFO concurred with these\n    workforce and capabilities.     changes.\n\nFor further information, contact    After these amendments, we recommended that the CFO finalize internal\nour Office of Congressional and     procedures used for reviewing the service provider\xe2\x80\x99s performance, continue to\nPublic Affairs at (202) 566-2391.   review service provider performance on a monthly basis and document results\nThe full report is at:\n                                    of the monthly meetings, finalize the revised Quality Assurance Surveillance\nwww.epa.gov/oig/reports/2013/       Plan that includes revised service level requirements to accurately assess\n20130823-13-P-0359.pdf              service provider performance, and test inherent Compass financial reporting\n                                    capabilities during a functional disaster recovery exercise.\n\x0c                           UNITED STATES ENVIRONMENTAL PROTECTION AGENCY\n                                        WASHINGTON, D.C. 20460\n\n\n\n                                                                                     THE INSPECTOR GENERAL\n\n\n\n\n                                            August 23, 2013\n\nMEMORANDUM\n\nSUBJECT:       Controls Over EPA\xe2\x80\x99s Compass Financial System Need to Be Improved\n               Report No. 13-P-0359\n\nFROM:          Arthur A. Elkins Jr.\n\nTO:            Maryann Froehlich, Acting Chief Financial Officer\n\nThis is our report on the subject audit conducted by the Office of Inspector General of the\nU.S. Environmental Protection Agency. This report contains findings that describe the problems\nthe OIG identified and the corrective actions the OIG recommends. 
This report represents the opinion of\nthe OIG and does not necessarily represent the final EPA position. The EPA agreed with all five\nrecommendations. These recommendations are considered unresolved pending our receipt of the EPA\xe2\x80\x99s\ncorrective action plan and estimated completion dates.\n\nAction Required\n\nIn accordance with EPA Manual 2750, you are required to provide planned corrective actions and\ncompletion dates for all unresolved recommendations within 60 calendar days. Your response will be\nposted on the OIG\xe2\x80\x99s public website, along with our memorandum commenting on your response. Your\nresponse should be provided as an Adobe PDF file that complies with the accessibility requirements of\nSection 508 of the Rehabilitation Act of 1973, as amended. The final response should not contain data\nthat you do not want to be released to the public; if your response contains such data, you should\nidentify the data for the redaction or removal along with corresponding justification. We will post this\nreport to our website at http://www.epa.gov/oig.\n\nIf you or your staff have any questions regarding this report, please contact Richard Eyermann at\n(202) 566-0565 or eyermann.richard@epa.gov, or Rudolph M. Brevard at (202) 566-0893 or at\nbrevard.rudy@epa.gov.\n\x0cControls Over EPA\xe2\x80\x99s Compass                                                                                               13-P-0359\nFinancial System Need to Be Improved\n\n\n                                  Table of Contents \n\n\nChapters\n   1\t   Introduction .......................................................................................................       1\n\n\n                Purpose .......................................................................................................    1    \n\n                Background .................................................................................................       
1    \n\n                Scope and Methodology ..............................................................................               1    \n\n\n   2\t   Management Oversight of Compass Service Provider \n\n        Needs Improvement ..........................................................................................               3\n\n\n                OCFO Does Not Have a Process to Evaluate\n                     Service Provider Performance...........................................................                       3\n\n                Recommendations ......................................................................................             4        \n\n                Agency Response and OIG Evaluation .......................................................                         4\n\n\n   3\t   Compass Security and Disaster Recovery\n\n        Process Improvements Needed........................................................................                        6\n\n\n                Lack of Knowledge of Key Security Processes Inhibits \n\n                       EPA\xe2\x80\x99s Ability to Handle Risks ...........................................................                   6\n\n                Critical Data Replication Function Not Tested for \n\n                       Contingency Operations ....................................................................                 6\n\n                Recommendations ......................................................................................             7\n\n                Agency Response and OIG Evaluation .......................................................                         7\n\n\n   Status of Recommendations and Potential Monetary Benefits..............................                                         9\n\n\n\n\nAppendices\n   A\t   Agency Response to Draft Report....................................................................                      
 10\n\n\n   B\t   Distribution .........................................................................................................    13\n\n\x0c                                  Chapter 1\n\n                                   Introduction\nPurpose\n            The Office of Inspector General of the U.S. Environmental Protection Agency\n            conducted this audit to determine what steps the EPA took to ensure that internal\n            controls over the financial reporting by Compass Financials have been designed\n            appropriately and are operating effectively. We also sought to determine the\n            extent of the EPA\xe2\x80\x99s reliance on its service organization to make assertions about\n            the effectiveness of its internal controls over financial reporting. Further, we\n            reviewed the agency\xe2\x80\x99s strategy for overseeing key Compass processes.\n\nBackground\n            In October 2011, the EPA\xe2\x80\x99s Office of the Chief Financial Officer replaced its\n            legacy financial management system (the Integrated Financial Management\n            System) with a new system\xe2\x80\x94Compass. Compass was developed and is hosted by\n            a third party service provider. 
The EPA indicated the objectives of Compass are\n            to:\n\n               \xef\x82\xb7\t Achieve or enhance process improvements and cost savings in the\n                  acquisition, development, implementation, and operation of financial\n                  management systems through shared services, joint procurements,\n                  consolidation, and other means.\n\n               \xef\x82\xb7\t Provide for standardization of business processes and data elements.\n\n               \xef\x82\xb7\t Promote seamless data exchange between and among federal agencies.\n\n               \xef\x82\xb7\t Strengthen internal controls through real-time interoperability of core\n                  financial and subsidiary systems.\n\nScope and Methodology\n            We performed this audit from February 2012 to May 2013 at EPA headquarters in\n            Washington, D.C., and at the third party service provider\xe2\x80\x99s data center in Phoenix,\n            Arizona. We performed this audit in accordance with generally accepted\n            government auditing standards. Those standards require that we plan and perform\n            the audit to obtain sufficient and appropriate evidence to provide a reasonable\n            basis for our findings and conclusions based on the audit objectives.\n\n\n\n13-P-0359                                                                                    \xc2\xa01\n\x0c            We conducted the review of Compass key processes and its third party service\n            provider\xe2\x80\x99s expected service level goals. Further, we reviewed the agency\xe2\x80\x99s\n            strategy for monitoring the third party service provider\xe2\x80\x99s performance. 
We also\n            reviewed steps taken to ensure that internal controls over financial reporting have\n            been designed appropriately and are operating effectively.\n\n            Our criteria included agency security plans and policies and the National Institute\n            of Standards and Technology Special Publication 800-53, Recommended Security\n            Controls for Federal Information Systems and Organizations. The evaluation of\n            these controls and agency guidance were carried out through inquiry, observation,\n            and review of documentation.\n\n            We identified issues during this audit regarding the ability of the agency\xe2\x80\x99s Compass\n            service provider to assess the design and operating effectiveness of controls over\n            business processes affecting the EPA. We reported them in EPA OIG Report No.\n            13-1-0054, Audit of EPA\xe2\x80\x99s Fiscal 2012 and 2011 Consolidated Financial\n            Statements, because of the potential impact these issues could have on the agency\xe2\x80\x99s\n            ability to conduct reliable financial reporting. Since the publishing of the agency\xe2\x80\x99s\n            financial statement audit report, OCFO has concurred with our findings in this area\n            and is in the process of taking steps to address the deficiencies noted.\n\n\n\n\n13-P-0359                                                                                     \xc2\xa02\n\x0c                                   Chapter 2\n\n             Management Oversight of Compass \n\n            Service Provider Needs Improvement\n\xc2\xa0\n            Internal agency processes were not in place to monitor performance of OCFO\xe2\x80\x99s\n            third party service provider for Compass. Federal and agency guidance requires\n            the timely review and monitoring of a service provider\xe2\x80\x99s performance. 
This lack\n            of oversight inhibits the EPA\xe2\x80\x99s ability to achieve agreed-upon performance levels\n            and correctly pay for services rendered.\n\nOCFO Does Not Have a Process to Evaluate Service Provider\nPerformance\n            OCFO had not established an internal process for how it would conduct a review\n            of service provider performance. Though OCFO had a QASP in place that stated\n            that it would review service provider performance, the EPA had not documented\n            how its internal review process would be performed. OCFO only asserted that it\n            had assembled a team of OCFO personnel to review service provider\n            performance, but roles and responsibilities had not been determined. Office of\n            Management and Budget Circular A-127, Financial Management Systems, states\n            that agencies must monitor their service providers\xe2\x80\x99 performance. The EPA\xe2\x80\x99s\n            Contracts Management Manual also states that the program office\xe2\x80\x99s contracting\n            officer\xe2\x80\x99s representative is responsible for overseeing contractor performance and\n            notifying the contracting officer as to whether the contractor met established\n            performance standards. Lack of documented internal procedures for the EPA\xe2\x80\x99s\n            review of its service provider inhibits the EPA\xe2\x80\x99s ability to ensure that the service\n            provider internal reviews are conducted in a manner consistent with EPA policy\n            and executive branch directives.\n\n            Proposed Quarterly Review Not Timely\n\n            At the time of this review, OCFO had not documented an internal process to\n            review service provider performance. However, OCFO has discussed reviewing\n            service provider performance on a quarterly basis. 
We were encouraged that\n            OCFO had begun to discuss how it will review contractor performance, but this\n            review must occur more frequently. OMB Circular A-127 states that agencies\n            must ensure that service failures are resolved promptly. In addition, EPA\xe2\x80\x99s\n            Contracts Management Manual requires a monthly review of a contractor\xe2\x80\x99s\n            progress reports. Limiting the review of performance to a quarterly basis increases\n            the risk that oversight of performance will not be timely.\n\n\n\n\n13-P-0359                                                                                      \xc2\xa03\n\x0c            Service Level Requirements Have Not Been Adjusted\n\n            OCFO and its service provider had not adjusted service level requirements by the\n            end of the burn-in period as agreed. OCFO uses the service level requirements to\n            measure service provider performance. Service level requirements are also used to\n            calculate penalties for nonperformance. OCFO agreed to a 6-month burn-in\n            period in which the EPA and its service provider would work together to review\n            performance thresholds and measurement methods, and make adjustments as\n            necessary. The EPA agreed not to assess penalties during the burn-in period. After\n            the burn-in period, OCFO agreed to measure its service provider\xe2\x80\x99s performance\n            based on the adjusted service level requirements metrics. The burn-in period has\n            ended and OCFO and its service provider are still reviewing the service level\n            requirements. OCFO anticipates reducing the number of service level\n            requirements to refine the performance metrics and better assess where penalties\n            can be applied. 
However, by not having adjusted service level requirements in\n            place by the end of the burn-in period, OCFO cannot accurately measure and\n            evaluate its service provider\xe2\x80\x99s performance.\n\n            We met with OCFO representatives to discuss our findings related to oversight of\n            the service provider\xe2\x80\x99s performance. OCFO management stated that they\n            assembled a team to conduct performance reviews. OCFO also submitted to the\n            audit team an informal standard operating procedure for reviewing service\n            provider performance. Our review of the information provided by OCFO\n            disclosed that while the agency started taking steps to review the service\n            provider\xe2\x80\x99s performance, management had not yet finalized its processes or\n            documented the results of its monthly meetings.\n\nRecommendations\n            We recommend that the chief financial officer:\n\n               1.\t Finalize internal procedures used for reviewing the service provider\xe2\x80\x99s\n                   performance.\n\n               2.\t Continue to review service provider performance on a monthly basis and\n                   document results of the monthly meetings.\n\n               3.\t Finalize the revised Quality Assurance Surveillance Plan that includes the\n                   revised service level requirements to accurately assess service provider\n                   performance.\n\nAgency Response and OIG Evaluation\n            OCFO initially disagreed with our recommendations regarding service provider\n            performance. OCFO stated they did not believe the draft report accurately\n            reflected the state of the EPA\xe2\x80\x99s oversight of the service provider. 
OCFO\n\n13-P-0359                                                                                   \xc2\xa04\n\x0c            specifically noted that the draft report did not acknowledge that the EPA had a\n            QASP that outlines its oversight procedures. While the EPA had a QASP, roles\n            and responsibilities had not been determined for the team responsible for\n            performing oversight nor had formalized processes been developed to ensure\n            consistent review of the service provider\xe2\x80\x99s performance. However, we updated the\n            report to acknowledge the existence of the QASP. Furthermore, we met with and\n            reviewed additional documentation provided by OCFO related to their\n            disagreement with recommendations 1-3. Our review of provided documentation\n            determined that OCFO has made progress in addressing our findings related to\n            management oversight of service provider performance and the OIG agreed to\n            amend recommendations 1 - 3 to reflect this progress. OCFO concurred with\n            these changes.\n\n\n\n\n13-P-0359                                                                                 \xc2\xa05\n\x0c                                    Chapter 3\n\n            Compass Security and Disaster Recovery \n\n               Process Improvements Needed\n\xc2\xa0\n             OCFO security personnel were not aware of Compass security roles and\n             responsibilities. Federal guidance states that a management official\n             knowledgeable in the nature of the information should be assigned security\n             responsibilities for each major application. This lack of knowledge greatly\n             decreases the likelihood that an effective security posture will be maintained.\n             Also, disaster recovery exercises did not test data replication processes vital to\n             financial reporting. 
Federal guidance states that contingency plan testing should\n             be conducted in real or near-real time, to allow participants to carry out their roles\n             and responsibilities as realistically as possible. Without conducting disaster\n             recovery testing that includes all components, the EPA cannot be assured that\n             Compass will operate as designed during a disaster.\n\nLack of Knowledge of Key Security Processes Inhibits EPA\xe2\x80\x99s\nAbility to Handle Risks\n\n             OCFO has defined system security processes for Compass, but staff assigned key\n             system security duties were not knowledgeable about processes, roles, and\n             responsibilities. OMB Circular A-130, Appendix III, Security of Federal\n             Automated Information Resources, states that responsibility for security should be\n             assigned to those knowledgeable in the nature of those security tasks assigned to\n             them. When we interviewed personnel responsible for Compass security\n             incidents, they were unable to convey how security incidence responses are\n             handled or identify their role and responsibilities within the process. Also, some\n             of the personnel who were documented in the Compass system security plan as\n             having assigned security roles were unaware that they were listed in the system\n             security plan or that they were points of contact for the oversight of key security\n             controls. Lack of knowledge regarding security roles and responsibilities could\n             result in the ineffective design and operation of Compass security controls.\n\nCritical Data Replication Function Not Tested for\nContingency Operations\n             OCFO did not include data replication in its Compass disaster recovery testing\n             plans. 
Financial data entered into Compass is replicated from the Compass\n             hosting location to the EPA\xe2\x80\x99s Research Triangle Park data center. The replicated\n             data feed the Compass Data Warehouse, which generates the agency\xe2\x80\x99s financial\n             reports. If data replication is not functioning during a disaster, the Compass Data\n             Warehouse cannot generate financial reports. The Contingency Plan and Exercise\n\n13-P-0359                                                                                        \xc2\xa06\n\x0c            section within NIST Special Publication 800-53, Recommended Security Controls\n            for Federal Information Systems and Organizations, states that organizations\n            should demonstrate realistic test/exercise scenarios that effectively stress the\n            information system and support the Agency\xe2\x80\x99s mission. In addition, NIST Special\n            Publication 800-84, Guide to Test, Training, and Exercise Programs for IT Plans\n            and Capabilities, states that functional exercises are typically conducted in real or\n            near-real time and prompt participants to carry out their roles and responsibilities\n            as realistically as possible. Without including data replication testing in functional\n            disaster recovery exercise plans, the EPA has no assurance that Compass will\n            operate as designed during a disaster.\n\n            We met with OCFO representatives to discuss their concerns regarding our\n            disaster recovery audit findings. OCFO representatives stated that disaster\n            recovery exercise plans would still not include testing of Compass data replication\n            and maintain that Compass has the ability to carry out reporting functions in the\n            event of a disaster. 
As such, they maintain, that testing data replication to the\n            Compass data warehouse is not necessary. However, if the EPA relies upon\n            Compass reporting capabilities during a disaster, the agency should have a plan to\n            test its capability. Our review of the EPA\xe2\x80\x99s disaster recovery results revealed that\n            management had not taken steps to identify key Compass reports that require\n            testing during disaster recovery exercises\n\nRecommendations\n            We recommend that the chief financial officer:\n\n               4.\t Communicate key roles and responsibilities to designated security\n                   personnel.\n\n               5.\t Test inherent Compass financial reporting capabilities during a functional\n                   disaster recovery exercise.\n\nAgency Response and OIG Evaluation\n\n            OCFO completed agreed upon corrective actions associated with recommendation\n            4 prior to the issuance of the draft report. The OIG considers corrective actions\n            taken to be sufficient to address our findings and have closed this\n            recommendation. OCFO did not agree with our recommendation to test the\n            COMPASS data replication as part of the disaster recovery exercise. OCFO stated\n            that data replication is not a mission-critical component of the agency\xe2\x80\x99s\n            contingency planning and disaster recovery processes. We met with OCFO to\n            discuss their concerns and reviewed the latest disaster recovery test results. While\n            the EPA does not rely on data replication for its financial reporting capabilities\n            during a disaster, management does rely upon the COMPASS inherent reporting\n            capabilities during contingencies. 
As such, the OIG believes it is incumbent upon\n            management to have a process to test the most critical COMPASS reporting\n\n13-P-0359                                                                                       \xc2\xa07\n\x0c            functions during disaster recovery exercises. As a result of our meeting, the OIG\n            agreed to amend the recommendation to reflect agreed upon alternative corrective\n            actions that OCFO should take to address our finding in this area. OCFO\n            concurred with this change.\n\n\n\n\n13-P-0359                                                                                  \xc2\xa08\n\x0c                                 Status of Recommendations and\n                                   Potential Monetary Benefits\n\n                                                                                                                           POTENTIAL MONETARY\n                                                    RECOMMENDATIONS                                                         BENEFITS (in $000s)\n\n                                                                                                               Planned\n    Rec.    Page                                                                                              Completion   Claimed    Agreed-To\n    No.      No.                          
Subject                         Status1      Action Official           Date      Amount      Amount\n\n     1        4     Finalize internal procedures used for reviewing the     U       Chief Financial Officer\n                    service provider\xe2\x80\x99s performance.\n\n     2        4     Continue to review service provider performance         U       Chief Financial Officer\n                    on a monthly basis and document results of the\n                    monthly meetings.\n\n     3        4     Finalize the revised Quality Assurance Surveillance     U       Chief Financial Officer\n                    Plan that includes revised service level\n                    requirements to accurately access service provider\n                    performance.\n\n     4        7     Communicate key roles and responsibilities to           C       Chief Financial Officer    12/13/12\n                    designated security personnel.\n\n     5        7     Test inherent Compass financial reporting               U       Chief Financial Officer\n                    capability during a functional disaster recovery\n                    exercise.\n\n\n\n\n1    O = recommendation is open with agreed-to corrective actions pending\n     C = recommendation is closed with all agreed-to actions completed\n     U = recommendation is unresolved with resolution efforts in progress\n\n\n\n\n13-P-0359                                                                                                                                     \xc2\xa09\n\x0c                                                                                    Appendix A\n\n                  Agency Response to Draft Report\nMEMORANDUM\n\nSUBJECT: \t Response to the Office of Inspector General Draft Report No. 
OMS-FY12-0002
           "Controls Over EPA's Compass Financial System Need to Be Improved," dated
           May 23, 2013

FROM:      Maryann Froehlich
           Acting Chief Financial Officer

TO:        Arthur A. Elkins, Jr.
           Inspector General

Thank you for the opportunity to respond to the issues and recommendations in the subject draft audit report. Following is a summary of the agency's overall position, along with its position on each of the report recommendations. For the report recommendations with which the agency does not agree, we have explained our position and proposed alternatives to recommendations.

AGENCY'S OVERALL POSITION

We do not believe the draft report accurately reflects the state of EPA oversight of our service provider's performance or the information provided to the auditors. We do not agree with recommendation numbers 1-3. Auditors, who met with my staff in the Office of Technology Solutions (OTS) last year, were informed that the initial process for reviewing service provider performance was going to be changed. The draft report does not acknowledge that there was, and is, such a process as is defined in our Quality Assurance Surveillance Plan (QASP). We are in the midst of negotiating changes to the existing QASP that will modify our process for reviewing contractor performance. Even though these negotiations are still in progress, we are not without a QASP, as the current QASP remains fully in effect and operative.

The QASP (provided to the auditors) documents the service level requirements to which the service provider is held. The service provider does submit monthly reports on these requirements, and performance is discussed at monthly review meetings, as required in the Contracts Management Manual, contrary to the draft finding. The reference in the draft report regarding "reviewing service provider performance on a quarterly basis" is a documented evaluation in addition to the monthly review and informal feedback routinely provided to the service provider.

We do not agree with recommendation number 4 on communicating responsibilities to security personnel, as this action was completed prior to issuance of the draft report. OTS, in a July 16, 2012, memorandum to the audit team, offered to provide refresher training on security roles and responsibilities to staff. When the training was held on December 13, 2012, OTS sent the audit team an email on the same date that informed them that OTS personnel had been briefed on security roles/responsibilities and provided the audit team a copy of the training presentation.

We also do not agree with recommendation number 5 on testing data replication during a disaster recovery exercise. Mission-critical transactional data is maintained in the core financial system, and this system is subject to contingency planning and disaster recovery. Since the data replication process represents the creation of a local copy of this transactional data, we submit that this process is not mission-critical and should not be included in disaster recovery exercises. OIG acknowledges that there is no requirement to include replication in disaster recovery and has not presented a reason to justify the allocation of scarce resources to do so.

AGENCY'S RESPONSE TO REPORT RECOMMENDATIONS

No.  Recommendation                 Agency Explanation/Response         Proposed Alternative

1    Develop a process to           EPA has a process in place and      Complete and implement
     monitor service provider       is negotiating changes to update    adjusted service level
     performance.                   it.                                 requirements to accurately
                                                                        assess service provider
                                                                        performance.

2    Review and evaluate            Service provider performance is     Evaluate service provider
     service provider               discussed at monthly meetings.      performance on a quarterly
     performance on a monthly       We believe quarterly written        basis. Continue reviewing
     basis.                         evaluation is sufficient when       performance at monthly
                                    combined with the monthly           meetings.
                                    meetings.

3    Adjust service level           As noted above, EPA is in the       Complete and implement
     requirements to accurately     process of making such              adjusted service level
     assess service provider        adjustments. OIG was informed       requirements to accurately
     performance.                   that this effort would occur.       assess service provider
                                                                        performance.

4    Communicate key roles and      EPA assigns certain security        Remove or acknowledge that
     responsibilities to            roles by signed memorandum.         corrective action was taken
     designated security            Additionally, OIG was informed      prior to the draft report.
     personnel.                     on 12/13/12 of an Office-wide
                                    briefing on this subject.

5    Test Compass data              Replication is not mission-         Delete this recommendation.
     replication during a           critical. The transactional
     functional disaster recovery   system is key; reporting/feeder
     exercise.                      systems do not qualify for
                                    recovery.

We would welcome the opportunity to meet with OIG staff and discuss our concerns with the draft recommendations. If you have any questions regarding this response, please contact Quentin Jones, Director, Office of Technology Solutions, on (202) 564-0373 or Susan Lindenblad, OTS Audit Liaison, on (202) 566-2890.

cc:  Richard Eyerman, Acting Assistant Inspector General for Audit
     David Bloom, Acting Deputy Chief Financial Officer
     Joshua Baylson, Associate Chief Financial Officer
     Quentin Jones, Director, Office of Technology Solutions
     Robert Hill, Deputy Director, Office of Technology Solutions


                                                                            Appendix B

                                    Distribution

Office of the Administrator
Chief Financial Officer
Agency Follow-Up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Deputy Chief Financial Officer
Audit Follow-Up Coordinator, Office of the Chief Financial Officer